CVE-2024-47220

Name: CVE-2024-47220
Description: An issue was discovered in the WEBrick toolkit through 1.8.1 for Ruby. It allows HTTP request smuggling by providing both a Content-Length header and a Transfer-Encoding header, e.g., "GET /admin HTTP/1.1\r\n" inside a "POST /user HTTP/1.1\r\n" request. NOTE: the supplier's position is "Webrick should not be used in production."
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs: 1082633

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package | Release                 | Version | Status
ruby-webrick (PTS) | sid, trixie, bookworm | 1.8.1-1 | vulnerable

The information below is based on the following data on fixed versions.

Package      | Type   | Release    | Fixed Version | Urgency | Origin | Debian Bugs
ruby-webrick | source | (unstable) | (unfixed)     |         |        | 1082633

Notes

[bookworm] - ruby-webrick <no-dsa> (Minor issue)
https://github.com/ruby/webrick/issues/145
Fixed by: https://github.com/ruby/webrick/commit/f5faca9222541591e1a7c3c97552ebb0c92733c7
